Tidy up and lint
Signed-off-by: Mark Bolwell <[email protected]>
uk-bolly committed Jun 11, 2024
1 parent 3e24f07 commit 566c2f0
Showing 5 changed files with 23 additions and 23 deletions.
32 changes: 16 additions & 16 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -14,15 +14,15 @@
block:
- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'

- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
Expand All @@ -47,15 +47,15 @@
block:
- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'

- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
Expand All @@ -80,15 +80,15 @@
block:
- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'

- name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
Expand All @@ -113,15 +113,15 @@
block:
- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'

- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
Expand All @@ -146,15 +146,15 @@
block:
- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'

- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
Expand All @@ -179,15 +179,15 @@
block:
- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'

- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
Expand All @@ -212,15 +212,15 @@
block:
- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'

- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
Expand All @@ -245,15 +245,15 @@
block:
- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/CIS.conf
path: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install usb-storage(\\s|$)"
line: "install usb-storage /bin/true"
create: true
mode: '0600'

- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
ansible.builtin.lineinfile:
dest: /etc/modprobe.d/blacklist.conf
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
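Review bot: In every hunk of this file the two lineinfile tasks carry an identical name ("1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" appears on both the CIS.conf task and the blacklist.conf task, and the same pattern repeats for freevxfs, hfs, hfsplus, jffs2, squashfs, udf and usb-storage), so play output and callbacks cannot distinguish which file was changed. Since this commit is a tidy-up, the second task of each pair should name its file, e.g. `- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit blacklist config"`. The enclosing `block:` starts above each hunk and the blacklist.conf task continues past its end, so I cannot see whether that task sets `mode` the way the CIS.conf task does with `mode: '0600'`; if it does not, a file created by `create: true` takes its mode from the umask, which is worth checking once for all eight modules.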
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.3.x.yml
Expand Up @@ -12,12 +12,12 @@
block:
- name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Emergency service"
ansible.builtin.lineinfile:
dest: /usr/lib/systemd/system/emergency.service
path: /usr/lib/systemd/system/emergency.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'

- name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Rescue service"
ansible.builtin.lineinfile:
dest: /usr/lib/systemd/system/rescue.service
path: /usr/lib/systemd/system/rescue.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'

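Review bot: The `line:` value written into emergency.service and rescue.service opens a double quote after `-c` and never closes it: `ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default`. systemd's unit parser is strict about unbalanced quotes in Exec lines, so I would expect this ExecStart to be rejected or misparsed rather than to require sulogin as intended; the fix is the closing quote on both tasks, `line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'`. Separately, `regexp: '/sbin/sulogin'` only rewrites an existing line containing that path; on units whose ExecStart uses a different helper the line is appended as a second ExecStart= instead, which lineinfile will not flag, so a drop-in under `/etc/systemd/system/<unit>.d/` that sets `ExecStart=` explicitly would be more robust than editing the vendor unit in /usr/lib, which package updates can overwrite. The enclosing `block:` starts above the hunk.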
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.4.x.yml
Expand Up @@ -47,7 +47,7 @@
- NIST800-53R5_CM-6b
notify: Systemd_daemon_reload
ansible.builtin.lineinfile:
dest: /etc/systemd/coredump.conf
path: /etc/systemd/coredump.conf
regexp: ^ProcessSizeMax
line: ProcessSizeMax=0
create: true
Expand All @@ -64,7 +64,7 @@
- coredump
notify: Systemd_daemon_reload
ansible.builtin.lineinfile:
dest: /etc/systemd/coredump.conf
path: /etc/systemd/coredump.conf
regexp: ^Storage
line: Storage=none
create: true
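Review bot: Both coredump.conf tasks combine `create: true` with a regexp that only matches an already-active key (`regexp: ^ProcessSizeMax`, `regexp: ^Storage`), so when the file is absent or only holds the commented defaults the setting is appended at end of file; if the file had to be created it then has no `[Coredump]` section header, and systemd's config parser is, as far as I know, going to ignore an assignment outside a section, leaving the control unapplied with the task reporting changed. The cis_1.1.1.x.yml tasks in this same commit use `^(#)?` to take over the commented default line, which would at least keep the key inside the existing section: `regexp: '^(#)?ProcessSizeMax'` and `regexp: '^(#)?Storage'`. For the create case, writing a drop-in that includes the `[Coredump]` header (or an `insertafter: '^\[Coredump\]'`) is the safer shape; I cannot confirm from the hunk whether a later task covers this, as the tasks start above each hunk.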
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.5.2.x.yml
Expand Up @@ -68,7 +68,7 @@
loop_control:
label: "{{ item.id }}"

- name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts"
- name: "4.5.2.3 | PATCH | Ensure system accounts are secured | Lock accounts"
when:
- item.id != "root"
- item.id != "sync"
4 changes: 2 additions & 2 deletions tasks/section_5/cis_5.2.3.x.yml
Expand Up @@ -77,14 +77,14 @@
- auditd
- rule_5.2.3.6
block:
- name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
register: priv_procs

- name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
- name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | set_fact for auditd rules"
ansible.builtin.set_fact:
update_audit_template: true
notify: Update_auditd_rules
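Review bot: The renamed AUDIT task still runs `df` without `-P`; GNU df wraps a row when the device name is long (common with `/dev/mapper/...` volumes), so `grep '^/dev' | awk '{ print $NF }'` yields the device path instead of the mount point for that row and `find` on it returns nothing, silently dropping that filesystem from `priv_procs` while `failed_when: false` hides any error. Mount points containing spaces are likewise split by the unquoted `$(...)` and `$i`. The one-line fix is `ansible.builtin.shell: for i in $(df -P | grep '^/dev' | awk '{ print $NF }'); do find "$i" -xdev -type f -perm /6000 2>/dev/null; done`. The second task's new name says AUDIT but it sets `update_audit_template` and notifies `Update_auditd_rules`, which changes the host; a short comment above it such as `# AUDIT here means "collects the input for the rule"; the handler it notifies does the PATCH` would stop that reading as a mislabel. The block continues past the hunk.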
